What you need to know about PSD2 certificate compliance A new regulatory standard in the EU mandates additional security measures for banks and Payment Service Providers, including the use of special Qualified digital certificates.

What is the revised Payment Services Directive (PSD2)? As part of a long-time effort to increase the security, privacy and reliability of electronic payments crossing the borders of EU nations, the European Commission developed the revised Payment Services Directive (EU Directive 2015/2366, also known as PSD2) which came into effect in January 2018. The directive is intended to…

• Contribute to a more integrated and efficient European payments market
• Create a level playing field for Payment Service Providers (PSPs) across the EU
• Make electronic payments more secure
• Provide more consistent consumer protection
• PSD2 covers many facets of the electronic payments market, but notably introduces enhanced privacy and online security measures that must be implemented by banks and PSPs doing business in the EU.

Why do I need Qualified certificates for PSD2? Under PSD2 digital certificates are used to identify banks and PSPs, to verify the roles for which they are licensed, to encrypt communications, and, in some cases, to provide tamperproof seals on data or transactions. Due to the sensitivity of financial services transactions, the PSD2 Regulatory Technical Standards (RTS) specify that only eIDAS certificates issued by a Qualified Trust Service Provider (TSP) may be used for the identification of PSPs.

PSD2 certificate compliance What types of certificates do I need for PSD2 compliance? Qualified Certificate for Website Authentication (QWAC) used with Transport Layer Security (TLS) protocol such as is defined in IETF RFC 5246 or IETF RFC 8446 to protect data in peer-to-peer communications and to identify who controls the end points.